How to handle web links in email and texts
Here are our tips on how to avoid being phished, or having your credentials harvested. These are steps that should be understandable and accessible to the majority of users. Some of the steps assume you have a good understanding of how to “right-click” your mouse and copy a link without actually clicking on that link. If you are unsure about this, or any other aspect of the advice in this article, we recommend you do not proceed with that step, and ask us or someone else for help first.
Don’t click on web links in unexpected SMS text messages
- Just about anyone in the world can send you a text message, and your phone number is easily guessable, if not already on a bulk SMS spam list somewhere. Text messages can contain web links, and smartphones will dutifully open any such link you click in their web browser application. This is just one way to get you to visit a malicious web site, but it can be a quite effective way.
- Unsolicited text messages that entice you to click on links are referred to as “smishing” (like SMS phishing). One of the interesting things about smishing is that users are less surprised to see shortened web links (eg using services like bit.ly) in SMS messages, and it is much harder on a smartphone to check where a shortened web link is taking you before it takes you there.
- Our governments tend to communicate with us via web sites, mainstream mass media, and (rarely but recently) via emergency alert channels that go, very loudly, to all mobile phones at once. They have tended not to use SMS text messages in the traditional sense, although this is happening more often around things like the Covid-19 pandemic.
- Sometimes government departments do send SMS text messages, eg to let you know if something is complete, or it is time for you to file a return. However those (should) never include links for you to click on. And if they do, you should not click on those.
- So if you get a text message purporting to be from your government, or some official party like the World Health Organisation (WHO), do not click on any links in it.
Don’t click on web links in unsolicited or unexpected emails
- This is a tricky one because we all get a lot of unsolicited emails, or emails we weren’t necessarily expecting to receive.
- However, it is a good general maxim that you should not just click on links in emails. Start from there, and then read on…
Think carefully about who an email appears to be from, and what they’re asking you to do
- Emails can be made to look like they are coming from anybody.
- So just because it looks like your manager, or finance department, sending you an email, that doesn’t mean it really is from them.
- More technical or experienced readers will know how to check who a mail is really from, and we won’t go into the detail of that here.
- But start with the assumption that this mail may not be from the sender it appears to be from, and apply that suspicion to web links within unsolicited or unexpected emails.
- And then, be even more suspicious if the mail is asking you to do anything with money, or anything outside of normal procedure, or anything unexpected or urgent.
Carefully check any link (but don’t click on it)
- If you are really quite sure that this might be a legitimate mail, and you want to follow the link it contains – STOP. Don’t just click the link.
- You need a way to see where the link is really taking you. As with email sender addresses, web links can be made to look different on the page/screen from where they are really taking you.
- The first thing you can do, instead of clicking on the link within the email, if you are on a computer with a normal mouse pointer, is to point your mouse at the link (without clicking the link) and wait for a second. This is called ‘hovering’ over a link.
- Most of the time, a little tooltip will appear that shows you the actual address of the web link you are pointing at. That is the thing you want to scrutinise (more on this below).
Manually copy and paste the link out of the email and into a new web browser tab
- Don’t follow this step unless you are really confident with what you are doing with your mouse.
- If yes, right-click the link in the email (not the normal mouse button, but the other mouse button). If you do that you will normally see a pop-up context menu with an option that allows you to “copy the link address”. This will copy the address to your copy-paste buffer, without actually opening the link. Do this carefully because a normal mouse click will otherwise open the web link, which is what you’re trying to avoid right now.
- NOTE that we are not copying the text of the link as it appears in the email itself – we are copying the thing that the link actually points to.
- Then go to your web browser and open a new tab. We recommend Chrome or Firefox as the most secure browsers to use following potentially unsafe web links.
- Paste the link into the address bar of the new browser tab but don’t hit enter or ‘go’ yet.
Scrutinise the domain that the link is pointing at
- The target ‘domain’ of a web link is the bit after the https:// and before the next forward slash (/).
- So it looks something like https://anything_or_nothing.phew.co.nz/anything_or_nothing
- The domain is phew.co.nz – the last thing that appears before that slash (technically the third slash in the address).
- The question you are asking yourself is “does that look like a valid and legitimate domain that I really do want to visit?”
- Examples of bad domains might be:
- https://anything_or_nothing.phew.co.nz.badguys.com/anything_or_nothing
- The domain here is effectively badguys.com (not phew.co.nz)
- It sure looks a bit like phew.co.nz, but it isn’t! phew.co.nz is in there, but it isn’t the real domain you are about to visit with that link.
- https://anything_or_nothing.ph3w.co.nz/anything_or_nothing
- The domain here is effectively ph3w.co.nz (not phew.co.nz)
- That 3 in the ph3w might look in passing like an “e” – maybe it wouldn’t catch the eye in the link in an email
- But if you are looking closely at the domain you will spot that it just doesn’t look like a legitimate domain that you really want to go to
- If it really does look like a valid and legit domain, then…
- … and only then, you might hit enter or go.
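As an added illustration of the domain check described in this section (example code, not part of the original article or any tool it mentions), the script below pulls the real domain out of a pasted link and says which of the two tricks above it resembles: a familiar name buried as a subdomain of someone else’s domain, or a look-alike spelling such as ph3w for phew. It assumes a short, constructed list of two-part suffixes like .co.nz in place of the full Public Suffix List, and a constructed table of digit-for-letter look-alikes; the function names registrable_domain and check_link are this example’s own.

```python
from urllib.parse import urlsplit

# Constructed, deliberately short set of two-label public suffixes. A real
# checker would load the full Public Suffix List (publicsuffix.org); this is
# enough for the .co.nz links discussed above.
TWO_LABEL_SUFFIXES = {"co.nz", "org.nz", "govt.nz", "net.nz", "co.uk", "org.uk", "com.au"}

# Constructed table of characters that are easy to mistake for letters in a
# domain name (the "3 for e" trick above). Used only to normalise before
# comparing, never to rewrite the link itself.
LOOKALIKES = str.maketrans({"3": "e", "0": "o", "1": "l", "5": "s", "4": "a", "7": "t"})


def _hostname(url: str) -> str:
    """Everything between the scheme and the third slash, lower-cased."""
    if "://" not in url:
        url = "https://" + url  # tolerate a link pasted without https://
    return (urlsplit(url).hostname or "").rstrip(".")


def registrable_domain(url: str) -> str:
    """The part of the address that decides where you end up: the last
    owner-controlled label plus its public suffix, e.g.
    https://a.b.phew.co.nz/x -> 'phew.co.nz'."""
    labels = _hostname(url).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    if len(labels) >= 2:
        return ".".join(labels[-2:])
    return labels[0]


def _normalise(domain: str) -> str:
    """Fold common look-alike characters so ph3w.co.nz compares equal to phew.co.nz."""
    return domain.translate(LOOKALIKES).replace("rn", "m")


def check_link(url: str, expected_domain: str) -> tuple[str, str]:
    """Compare the link's real domain with the one you meant to visit.

    Returns (verdict, real_domain) where verdict is one of:
      'ok'              the link really goes to expected_domain
      'subdomain-trick' expected_domain appears in the address but only as a
                        subdomain of someone else's domain (phew.co.nz.badguys.com)
      'look-alike'      the domain differs only by look-alike characters (ph3w.co.nz)
      'different'       an unrelated domain
    """
    expected = expected_domain.lower().strip(".")
    host = _hostname(url)
    domain = registrable_domain(url)
    if domain == expected:
        return ("ok", domain)
    if ("." + expected + ".") in ("." + host + "."):
        return ("subdomain-trick", domain)
    if _normalise(domain) == _normalise(expected):
        return ("look-alike", domain)
    return ("different", domain)


if __name__ == "__main__":
    # The three addresses used as examples in the section above.
    for link in (
        "https://anything_or_nothing.phew.co.nz/anything_or_nothing",
        "https://anything_or_nothing.phew.co.nz.badguys.com/anything_or_nothing",
        "https://anything_or_nothing.ph3w.co.nz/anything_or_nothing",
    ):
        verdict, real = check_link(link, "phew.co.nz")
        print(f"{verdict:16} {real:14} {link}")
```

Run it with the three addresses from the list above and it reports ok, subdomain-trick and look-alike respectively. The check is only as good as its suffix list: without an entry for co.nz it would report phew.co.nz as just co.nz, which is why real tools use the full Public Suffix List rather than a hand-written set.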
If you visit the linked location, do not enter any usernames, passwords or private information there
- If you are visiting a web site/page from a link you got out of an email, you should not enter anything into such a page.
- First check that there are no obvious warnings in the browser’s address bar, or elsewhere in the browser, for this site
- If not, you should still think: “I must not enter”
- Any username or password (ie authentication credentials)
- Financial information
- Private or sensitive information
- Just about any information (because you came here via a link someone sent you)
- If you are being prompted for that – close the browser tab, don’t go back there.
- Note that you might sometimes receive a link to a Google, SharePoint, Dropbox or OneDrive resource that requires you to authenticate before you access that resource.
- If that is the case, do not enter your credentials.
- Instead, close the browser tab.
- Open a new browser tab and go to that site in the way you normally would (eg open Google Docs, or SharePoint via whatever shortcut or other means you normally use).
- You should be prompted to log in to that site, which you can do safely if you have found your way to that site in the same way you normally do.
- If you are not prompted to log in, that link you followed above was probably trying to phish you.
- If you are prompted to log in, then once you are logged in you can go back and repeat the steps in 7 above to copy and paste the (actual) web link from the email into a new browser tab.
- If you are still prompted to enter a username and password, the chances are you are being phished, and you should close the tab and forget about following that link (might not be the case, but that is the safest approach at this point).
- If you are not prompted to log in, you will probably just be shown the resource you are hoping to see.
- Still don’t enter any credentials or sensitive information unless you are super sure it is safe to.
If you think you have spotted some phishing, or something else questionable, report it